SAP SE, a global software company headquartered in Waldorf, Germany, has agreed to pay combined penalties of more than $8 million as part of a global resolution with the Departments of Justice, Commerce, and the Treasury.

In voluntary disclosures the Company made to the three agencies, SAP acknowledged violations of the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations. As a result of its voluntary disclosure to DOJ, extensive cooperation, and remediation costing more than $27 million, United States Attorney’s Office for the District of Massachusetts and DOJ’s National Security Division entered into a Non-Prosecution Agreement with SAP. Pursuant to that agreement, SAP will disgorge $5.14 million of ill-gotten gain.

Beginning in approximately January 2010 and continuing through approximately September 2017, SAP, without a license, willfully exported, or caused the export, of its products to Iranian users. SAP’s violations occurred in two principle ways.

First, between 2010 and 2017, SAP and its overseas partners released its U.S-origin software, including upgrades, and/or software patches more than 20,000 times to users located in Iran. SAP senior management was aware that neither the Company nor its U.S.-based Content Delivery Provider used geolocation filters to identify and block Iranian downloads, yet for years the Company did nothing to remedy the issue. The vast majority of the Iranian downloads went to 14 companies, which SAP Partners in Turkey, United Arab Emirates, Germany, and Malaysia knew were Iranian-controlled front companies. The remaining downloads went to several multinational companies with operations in Iran, which downloaded SAP’s software, updates, and/or patches from locations in Iran.

Second, from approximately 2011 to 2017, SAP’s Cloud Business Group companies (CBGs) permitted approximately 2,360 Iranian users to access U.S.-based cloud services from Iran. Beginning in 2011, SAP acquired various CBGs and became aware, through pre-acquisition due diligence as well as post-acquisition export control-specific audits, that these companies lacked adequate export control and sanctions compliance processes. Yet, SAP made the decision to allow these companies to continue to operate as standalone entities after acquiring them and failed to fully integrate them into SAP’s more robust export controls and sanctions compliance program.

While this conduct constituted serious violations of U.S. law involving the release of U.S. origin technology and software through cloud servers and online portals, this Non-Prosecution Agreement recognizes the importance of voluntary self-disclosure and cooperation with the government. DOJ and the District of Massachusetts reached this resolution with SAP based upon its voluntary self-disclosure as well as SAP’s extensive internal investigation and cooperation over a three-year period. During this time, SAP worked with prosecutors and investigators, producing thousands of translated documents, answering inquiries, and making foreign-based employees available for interviews in a mutually agreed upon overseas location. AP also timely remediated and implemented significant changes to its export compliance and sanctions program, spending more than $27 million on such changes, including, among other things detailed in the NPA: (1) implementing GeoIP blocking; (2) deactivating thousands of individuals users of SAP cloud based services based in Iran; (3) transitioning to automated sanctioned party screening of its CBGs; (4) auditing and suspending SAP partners that sold to Iran-affiliated customers; and (5) conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring involvement of the Export Control Team before acquisition.

Concurrently with this agreement, SAP is entering into Administrative Agreements with the Department of Commerce, Bureau of Industry and Security (“BIS”) and the Department of the Treasury, Office of Foreign Assets Control (“OFAC”). Among other things, the BIS settlement agreement requires SAP to conduct internal audits of its compliance with U.S. export control laws and regulations, and produce audit reports to BIS for a period of three years.

“Today, SAP has admitted to thousands of export violations spanning six years that violated the U.S. embargo against Iran and endangered the national security of the United States,” said Acting U.S. Attorney Nathaniel Mendell. “This settlement should serve as a strong deterrent message to others that the release of software and sale of product and services on the internet are subject to U.S. export laws and regulations.”

“Today’s first-ever resolution pursuant to the Department’s Export Control and Sanctions Enforcement Policy for Business Organizations sends a strong message that businesses must abide by export control and sanctions laws, but that when they violate those laws, there is a clear benefit to coming to the Department before they get caught,” said Assistant Attorney General John C. Demers for the National Security Division. “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, we heed this lesson.”

“This action demonstrates that the Office of Export Enforcement will continue to leverage our unique authorities to enforce our nation’s export control laws and to deter new violations. Violators of the EAR will be held accountable through criminal, civil penalties, or both when appropriate,” said William Higgins, Special Agent in Charge of the Department of Commerce’s Office of Export Enforcement, Boston Field Office. “These laws are designed to protect U.S. Foreign Policy and National Security and will be vigorously investigated.”

“By supplying Iran with millions of dollars’ worth of illegally exported software and services, SAP circumvented U.S. economic sanctions against Iran—pressure that is intended to end Iran’s malign behavior. However, it was SAP that first uncovered and reported this sanctions violation, and we would like to thank them for working hard to enhance their compliance program to prevent future violations,” said Joseph R. Bonavolonta, Special Agent in Charge of the Federal Bureau of Investigation, Boston Division. “Let this case be a lesson to others that it’s better to self-report and own up to one’s mistakes than undermine U.S. foreign policy and adversely affect our national security.”

“Among HSI’s priorities is the commitment to ensuring that sensitive U.S. products, to include software, are not illegally exported to embargoed destinations, such as Iran,” said William S. Walker, Acting Special Agent in Charge for Homeland Security Investigations, Boston. “It will continue to be incumbent upon U.S. companies to guarantee that foreign subsidiaries dealing in their products remain in compliance with U.S. sanctions and export control regulations. HSI will continue to coordinate with our law enforcement partners to safeguard sensitive technologies produced in the United States from ending up in the hands of our adversaries.”

Acting U.S. Attorney Mendell, Assistant Attorney General John Demers, SAC William Higgins, SAC Bonavolonta, and Acting SAC William Walker made the announcement today. Assistant U.S. Attorney B. Stephanie Siegmann, Chief of Mendell’s National Security Unit; Elizabeth Cannon, Deputy Chief of Export Controls and Sanctions, National Security Division; and Heather Schmidt, Senior Trial Attorney, National Security Division, oversaw this investigation and negotiated this agreement.